Canadian Government Unveils Big Loopholes in Anti-Spam Regulations

Industry Canada unveiled long-awaited revised anti-spam regulations on Friday for the Canadian Anti-Spam Law. The regulations are in draft form and comments can be submitted to the government until February 3rd. Given the intense lobbying by business groups to water down the legislation passed in 2010 and the initial draft 2011 regulations, it comes as little surprise to find that the proposed regulations include several significant loopholes and exceptions that undermine the effectiveness of the law. The key new regulations include:

Third-party referrals: the regulations include a broad new exception for third party referrals that will allow businesses to send commercial electronic messages without consent based merely on a referral from a third party. This issue was hotly debated when the bill was being drafted and, at the time, the government rejected claims that such an exception was warranted. In the face of intense lobbying, however, the opt-in approach to electronic marketing is being dropped and replaced by a system that allows for unsolicited commercial electronic messages based on third party referrals.

Personal relationships: the 2011 draft regulations featured a fairly restrictive definition for the personal relationship exception that allows for commercial messaging without consent where there is a family or personal relationship. The new definition is far broader and is likely to be used by many organizations based on limited contact. The regulation defines personal relationship as:

Those individuals have had direct, voluntary, two-way communications and it would be reasonable to conclude that the relationship is personal taking into consideration all relevant factors such as the sharing of interests, experiences, opinions and information evidenced in the communications, the frequency of communication, the length of time since the parties communicated and if the parties have met in person

Legal or juridical obligations: the new regulations exclude commercial emails that either satisfy legal or juridical obligations, enforce legal rights, or provide notice of an existing or pending right.

Computer programs: the new regulations include two new definitions for computer programs that are excluded from the scope of requirements in the law to obtain express consent when installing those programs. The new definitions cover efforts by telecom providers to install programs to "prevent activities that the telecommunications service provider reasonably believes are in contravention of an Act of Parliament and which present an imminent risk to the security of its network" or a program installed "for the purpose of updating or upgrading the network, by or on behalf of the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network."

business-to-business exceptions: the new regulations expand the scope of business-to-business communications to alleviate concerns they would be caught by the Act.

While the third party referral and personal relationship regulations will raise particular concern, the government did reject efforts to grandfather consents obtained under PIPEDA, the private sector privacy law. While marketing groups argued that obtaining new consents would be disruptive, the reality is that the anti-spam law creates tougher consent requirements (explicit opt-in consent vs. implied opt-out consent in some instances) and relying on the weaker, implied PIPEDA consents would be inappropriate.

Moreover, the law already features a lengthy transition period that will allow businesses to rely on their existing consents for three years after the legislation takes effect. In other words, despite the fear mongering about the anti-spam legislation, current customer lists will be exempted from the new consent requirements until 2017 (assuming the law does not take effect until 2014). Since the law was passed in 2010, seven years is surely enough time for businesses to ask Canadian consumers if they consent to the use of their personal information for marketing purposes.